OneLogin is a cloud Identity Provider (IDP) that supports SAML 2.0, OAuth 2.0, and OpenID Connect flows. I recently had a customer ask how they could use the identities they already manage in OneLogin to authenticate to Oracle Cloud services. The answer was to federate OneLogin with Oracle Identity Cloud Service (IDCS) over SAML and use SCIM for automated user provisioning.
What you will need
- Access to Identity Cloud Service with administrator privileges
- A OneLogin account with permissions to add applications and users
Create a Confidential Application in IDCS
- Open the menu by clicking the icon in the top-left corner of the IDCS Admin Console. Click Applications.
- Under the Applications header at the top of the window, click + Add and select Confidential Application in the modal window that appears.
- Enter a display name for the application in the Name text box and optionally enter a description and Application Icon if desired. Click Next >.
- Select the Configure this application as a client now radio button to display the client configuration options. Under Allowed Grant Types, check only Client Credentials.
- The Client Credentials grant lets OneLogin's provisioning connector authenticate as this application with the generated Client ID and Client Secret, with no user involved. No other grant type is needed for provisioning, so leave the rest unchecked.
- Scroll down to Token Issuance Policy and, under Grant the client access to Identity Cloud Service Admin APIs, click + Add. Select User Administrator and click Add. This role is what allows the SCIM calls to create and update users; do not grant a broader role such as Identity Domain Administrator to a credential that will be stored in a third-party service.
- Click Next > through the remaining steps and finally Finish to complete the confidential application. Record the Client ID and Client Secret shown at the end, as both are needed later. Remember to click Activate, or token requests from OneLogin will be rejected.
Configure OneLogin as the Identity Provider (1/2)
- In the OneLogin Administration dashboard, hover over Applications, click Applications, then click Add App.
- In the search box, search for SCIM Provisioner with SAML (SCIM v2 Core) and click it. Optionally change the Display Name, icons, Description, and Visibility, or keep the defaults, then click Save.
- On the application's Parameters tab, make sure NameID (the SAML subject) is set to Email. Add First Name and Last Name as custom parameters with the + symbol: enter the field name (First Name or Last Name), check the box to include the field in the SAML assertion, and click Save; then pick the matching OneLogin user attribute from the Value dropdown and click Save again.
- This post assumes that OneLogin uses the user's email address as the unique identifier. If that is not the case, set NameID to whichever attribute is unique. IDCS reads this field from the SAML assertion to identify the user being granted access, so it must correspond to the IDCS attribute chosen later as the Oracle Identity Cloud Service User Attribute.
- First Name and Last Name are required identity attributes in IDCS.
- On the SSO tab, set SAML Signature Algorithm to SHA-256 (SHA-1 signatures are deprecated and should not be used for new federations). Click the View Details link under X.509 Certificate, saving if prompted.
- Set SHA fingerprint to SHA256 if it is not already, and note the fingerprint so it can be compared with the certificate in the metadata you are about to download. Under Apps using this certificate, click the application added earlier to return to its details page.
- From the More Actions menu in the top-right corner of the UI, click SAML Metadata to download the application metadata. This XML carries the entity ID, the SSO URL, and the signing certificate that IDCS will trust.
Configure IDCS as the Service Provider
- From the menu, expand Security, select Identity Providers, then click + Add SAML IDP.
- Enter a display name for OneLogin in the Name field and add any other information as desired. The display name may be exposed to end users on the sign-in page, so choose a descriptive one. Click Next.
- Click Upload and select the metadata downloaded from OneLogin. Click Next >.
- For Identity Provider User Attribute select Name ID.
- By default OneLogin sends the subject of the SAML assertion in the NameID element.
- For Oracle Identity Cloud Service User Attribute select Username.
- In most cases the NameID will match the IDCS Username attribute. If that is not possible, another unique user attribute can be selected, but it must hold exactly the value OneLogin sends.
- For Requested NameID Format, select Email Address if the NameID in OneLogin is the email address, otherwise Unspecified. Click Next. Note the values on the Export page (the Provider ID and the Assertion Consumer Service URL are needed on the OneLogin side) and keep clicking Next until finished.
- Activate the Identity Provider.
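The SAML side of this setup has four things that must line up between the two consoles: a NameID is present in the Subject, its Format is the one selected as Requested NameID Format, the First Name and Last Name attributes are in the assertion, and the signature algorithm is SHA-256. The following script, added here as an example and not taken from the original post or from OneLogin or Oracle, checks those four points on an assertion. The assertion it ships with is a constructed, unsigned sample shaped like what the SCIM Provisioner with SAML app emits with the parameters above; element names and namespaces are the standard SAML 2.0 ones, everything else (issuer URL, ID, user values) is a placeholder. To check a real assertion, decode the SAMLResponse from a browser capture and pass it in. It does not verify the XML signature; IDCS does that against the certificate in the uploaded metadata.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRS = ("First Name", "Last Name")  # required IDCS identity attributes

# Constructed sample: shaped like the assertion the OneLogin app emits with the
# parameters configured above, but unsigned, with placeholder values; not a capture.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-id" Version="2.0">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/constructed</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def inspect_assertion(xml_text):
    """Pull out the fields IDCS maps: NameID, its Format, attributes, signature algorithm.

    Accepts either a bare saml:Assertion or a samlp:Response that wraps one.
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    sig = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {
        "name_id": nameid.text if nameid is not None else None,
        "name_id_format": nameid.get("Format") if nameid is not None else None,
        "attributes": attrs,
        "signature_algorithm": sig.get("Algorithm") if sig is not None else None,
    }


def check_assertion(xml_text, expected_format=EMAIL_FORMAT):
    """Return a list of mismatches against the configured mapping; empty means it lines up.

    expected_format is the value chosen for Requested NameID Format in IDCS;
    Unspecified is treated as "any format is acceptable".
    """
    info = inspect_assertion(xml_text)
    problems = []
    if not info["name_id"]:
        problems.append("no NameID in the Subject: IDCS has nothing to match against Username")
    elif expected_format != UNSPECIFIED_FORMAT and info["name_id_format"] != expected_format:
        problems.append("NameID Format %r differs from the Requested NameID Format %r"
                        % (info["name_id_format"], expected_format))
    for name in REQUIRED_ATTRS:
        if not info["attributes"].get(name):
            problems.append("required attribute %r is missing from the assertion" % name)
    if info["signature_algorithm"] != RSA_SHA256:
        problems.append("signature algorithm is %r, not rsa-sha256" % info["signature_algorithm"])
    return problems


if __name__ == "__main__":
    print(inspect_assertion(SAMPLE_ASSERTION))
    print(check_assertion(SAMPLE_ASSERTION) or ["assertion matches the configured mapping"])
```

If the NameID check fails on a real assertion, the fix is on the OneLogin Parameters tab (NameID value) or the IDCS Requested NameID Format, not in IDCS user data; if the signature algorithm check fails, the SSO tab's SAML Signature Algorithm was not saved as SHA-256.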
Configure OneLogin as the Identity Provider (2/2)
- In OneLogin, open the SCIM Provisioner with SAML application added earlier and go to its Configuration tab.
- Under SAML Audience URL enter the Provider ID from the IDCS Export page of the previous step; this is the entity ID IDCS expects to see as the Audience of the assertion.
- Under SAML Consumer URL enter the IDCS Assertion Consumer Service URL from the same page.
- Save the configuration.
Configure the OneLogin Application for SCIM
- On the same Configuration tab, under SCIM Base URL enter the base URL of your IDCS instance followed by the path /admin/v1, in the form https://<your-idcs-host>.identity.oraclecloud.com/admin/v1. This is the IDCS SCIM 2.0 endpoint; the Users and Groups resources live under it.
- Under SCIM Bearer Token enter the Base64 encoding of ClientID:ClientSecret from the IDCS confidential application created in the first section, with the colon included and no line breaks in the encoded value. Treat this value as a secret: it is the credential OneLogin uses to administer users in IDCS.
- Click the Enable button under API Connection. If the API status does not change to Enabled, recheck the base URL, the encoded credential, and that the IDCS application is active and holds the User Administrator role.
- On the Provisioning tab, check Enable provisioning and click Save. Assigned users should now begin to appear in the application's Users tab as they are provisioned. By default OneLogin holds each provisioning action for administrator approval in the Users tab before sending it to IDCS; the approval requirements are controlled on the Provisioning tab.
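Before enabling provisioning it is worth confirming, outside OneLogin, that the confidential application actually works, since a wrong secret, an inactive application, and a missing User Administrator role all surface in OneLogin as the same vague connection failure. The script below is an added example, not code from the original post or from Oracle or OneLogin. It does what the connector will do with the credential: exchange the Client ID and Client Secret for an access token at the IDCS token endpoint (POST /oauth2/v1/token with HTTP Basic authentication, the client_credentials grant and the scope urn:opc:idm:__myscopes__, which requests every scope the application was granted) and then call the SCIM endpoint /admin/v1/Users with that token. It also produces the Base64 value for the SCIM Bearer Token field. IDCS_BASE_URL, CLIENT_ID and CLIENT_SECRET are placeholders; the network calls only happen when the file is run as a script with real values, and the request builders can be exercised offline.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

IDCS_BASE_URL = "https://idcs-example.identity.oraclecloud.com"  # placeholder tenant URL
CLIENT_ID = "example-client-id"                                  # placeholder
CLIENT_SECRET = "example-client-secret"                          # placeholder
TOKEN_SCOPE = "urn:opc:idm:__myscopes__"  # "every scope this client was granted"


def basic_credential(client_id, client_secret):
    """Base64 of 'ClientID:ClientSecret' as a single line with no trailing newline.

    This is the value for OneLogin's SCIM Bearer Token field and the HTTP Basic
    credential for the token endpoint. base64.b64encode never inserts line
    breaks, unlike some command-line base64 tools.
    """
    if ":" in client_id:
        raise ValueError("client id must not contain ':'")
    raw = "%s:%s" % (client_id, client_secret)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_token_request(base_url, client_id, client_secret):
    """POST /oauth2/v1/token using HTTP Basic auth and the client_credentials grant."""
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": TOKEN_SCOPE}).encode("ascii")
    req = urllib.request.Request(base_url.rstrip("/") + "/oauth2/v1/token", data=body, method="POST")
    req.add_header("Authorization", "Basic " + basic_credential(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def build_scim_request(base_url, access_token, count=1):
    """GET /admin/v1/Users?count=N; succeeds only if the token carries user-admin scopes."""
    req = urllib.request.Request(base_url.rstrip("/") + "/admin/v1/Users?count=%d" % count, method="GET")
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Accept", "application/scim+json")
    return req


def jwt_claims(token):
    """Decode a JWT payload for inspection only; this does not check the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def send(req):
    """Return (status, parsed JSON body or raw text), treating HTTP errors as results."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, raw.decode("utf-8", "replace")


def preflight(base_url, client_id, client_secret):
    """Token exchange followed by a SCIM read; returns a one-line verdict."""
    status, body = send(build_token_request(base_url, client_id, client_secret))
    if status != 200 or not isinstance(body, dict) or "access_token" not in body:
        return "token request failed (%s): %s -- check Client ID/Secret and that the app is Active" % (status, body)
    token = body["access_token"]
    print("scopes granted to this client:", jwt_claims(token).get("scope"))
    status, body = send(build_scim_request(base_url, token))
    if status == 200 and isinstance(body, dict):
        return "SCIM OK: %s users visible through /admin/v1/Users" % body.get("totalResults")
    return "SCIM call failed (%s): %s -- 401/403 here usually means the User Administrator role is missing" % (status, body)


if __name__ == "__main__":
    print("value for SCIM Bearer Token:", basic_credential(CLIENT_ID, CLIENT_SECRET))
    print(preflight(IDCS_BASE_URL, CLIENT_ID, CLIENT_SECRET))
```

A failed token exchange points at the first section (credentials or Activate); a successful token exchange followed by a 401 or 403 on /admin/v1/Users points at the Token Issuance Policy, where the User Administrator role was supposed to be added.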
Set OneLogin to Appear on the IDCS Sign-On Page
- In IDCS, open the top-left menu and expand the Security tab. Click IDP Policies.
- IDP policies control which IDPs are offered to users depending on what they are signing in to.
- The Default Identity Provider Policy applies unless a more specific policy has been assigned to particular applications.
- Click Default Identity Provider Policy, open the Identity Provider Rules tab, and choose Edit from the menu to the right of Default IDP Rule.
- Click in the Assign Identity Providers box and select the OneLogin IDP from the drop down.
- Click Save.
The end state is being able to log in to IDCS through OneLogin. When accessing any application or service protected by IDCS, end users are presented with the IDCS sign-in page, which now offers OneLogin as a choice:
The user can select the OneLogin button to be redirected to OneLogin's sign-in page.
If all users should be forced to authenticate through OneLogin (or another Identity Provider), an IDP Policy can be used to route every user to the desired provider, as described here.
Once this configuration is complete, users authenticate to IDCS via OneLogin, so the organization can use identities created in OneLogin to access Oracle Cloud services. End users can reach Oracle Platform as a Service offerings such as Integration Cloud and Analytics Cloud, enterprise applications such as E-Business Suite behind the IDCS App Gateway, and any number of applications from the IDCS App Catalog.